ad28a59e2234cee44a0eee96aff1c7a71054a40734d289fe0d436e79247ad6d3

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tweaks/1.bat
Size

253B
MD5

ce17bbdf67566edb48a72c10dc53aa19
SHA1

5463f627871b844a098871aa5dbe43ef9f39d09e
SHA256

9ee833b3b341ab2fbbc1b215c2613a3cb947aa5174122f69c87068c54d3b6f8a
SHA512

6c76ccb6b1bf9c40c62c50ab04fe053f7358496eafa0345f14dc0a5f2e29cf58a3f87e301efe876ba9d2ac9f3ca5471d7af991d3f4c7097fd1f55dc9976360da

Score

10^/10

defense_evasion discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1324	bcdedit.exe
1808	bcdedit.exe
1976	bcdedit.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	reg.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2004	takeown.exe
1264	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2004	takeown.exe
1264	icacls.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2056	powercfg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\WallPaper	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeCreatePagefilePrivilege	2056	powercfg.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1324	1960	cmd.exe	31
PID 1960 wrote to memory of 1324	1960	cmd.exe	31
PID 1960 wrote to memory of 1324	1960	cmd.exe	31
PID 1960 wrote to memory of 1808	1960	cmd.exe	32
PID 1960 wrote to memory of 1808	1960	cmd.exe	32
PID 1960 wrote to memory of 1808	1960	cmd.exe	32
PID 1960 wrote to memory of 1976	1960	cmd.exe	33
PID 1960 wrote to memory of 1976	1960	cmd.exe	33
PID 1960 wrote to memory of 1976	1960	cmd.exe	33
PID 1960 wrote to memory of 2056	1960	cmd.exe	34
PID 1960 wrote to memory of 2056	1960	cmd.exe	34
PID 1960 wrote to memory of 2056	1960	cmd.exe	34
PID 1960 wrote to memory of 2856	1960	cmd.exe	35
PID 1960 wrote to memory of 2856	1960	cmd.exe	35
PID 1960 wrote to memory of 2856	1960	cmd.exe	35
PID 1960 wrote to memory of 2004	1960	cmd.exe	36
PID 1960 wrote to memory of 2004	1960	cmd.exe	36
PID 1960 wrote to memory of 2004	1960	cmd.exe	36
PID 1960 wrote to memory of 1264	1960	cmd.exe	37
PID 1960 wrote to memory of 1264	1960	cmd.exe	37
PID 1960 wrote to memory of 1264	1960	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tweaks\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootuxdisabled yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1324
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot on
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1808
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1976
- C:\Windows\system32\powercfg.exe
  powercfg h off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\system32\reg.exe
  reg import 1.reg
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Modify Registry: Disable Windows Driver Blocklist
  - Sets desktop wallpaper using registry
  PID:2856
- C:\Windows\system32\takeown.exe
  takeown /F C:\Windows\System32\dbgeng.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\System32\dbgeng.dll /grant Administrators:D
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1264